From 85485ea28c25492b4b847074a198e608e4a29b5d Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Tue, 17 Sep 2024 18:03:46 +0200
Subject: OpenVPN: heuristic: add a simple check to avoid false positives (#2560)

We should have too big packets during the initial handshake
---
 src/lib/protocols/openvpn.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'src')

diff --git a/src/lib/protocols/openvpn.c b/src/lib/protocols/openvpn.c
index 1c63f5ecd..bf34bf3a9 100644
--- a/src/lib/protocols/openvpn.c
+++ b/src/lib/protocols/openvpn.c
@@ -417,6 +417,10 @@ static int search_heur_opcode(struct ndpi_detection_module_struct* ndpi_struct,
 iter, offset, pdu_len);
 if(pdu_len < 14)
 return 1; /* Exclude */
+ if(pdu_len > 4 * 1500) { /* 4 full size packets: simple threshold to avoid false positives */
+ NDPI_LOG_DBG2(ndpi_struct, "Heur-opcode: pdu_len %d too big. Exclude\n", pdu_len);
+ return 1; /* Exclude */
+ }
 rc = search_heur_opcode_common(ndpi_struct, flow, *(ovpn_payload + offset + 2));
 NDPI_LOG_DBG2(ndpi_struct, "Heur-opcode: TCP, rc %d\n", rc);
 if(rc > 0) /* Exclude || Found --> stop */
-- 
cgit v1.2.3
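Review bot: The new upper bound `4 * 1500` on the added `if` line is a magic number whose meaning lives only in the trailing comment; a named constant next to the existing `14` lower bound would keep both ends of the accepted pdu_len range visible in one place, e.g. `#define OPENVPN_HEUR_OPCODE_MAX_PDU_LEN (4 * 1500) /* 4 full-size packets, heuristic bound */` and `if(pdu_len > OPENVPN_HEUR_OPCODE_MAX_PDU_LEN) {`. The threshold is derived from an assumed 1500-byte MTU rather than from anything the OpenVPN control channel guarantees, so the comment would be more accurate if it stated that this is a false-positive reduction bound for the heuristic, not a protocol limit, and that legitimate flows above it are deliberately not classified by this path. The `%d` in the new NDPI_LOG_DBG2 call is only correct if pdu_len is an int or a narrower type that promotes to int; if it is declared as an unsigned or wider type earlier in the function, the specifier should match it. search_heur_opcode starts before and continues after this hunk.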